
Salesforce Identity-and-Access-Management-Architect Salesforce Certified Identity and Access Management Architect (SP23) Exam Practice Test

Salesforce Certified Identity and Access Management Architect (SP23) Questions and Answers

Question 1

A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with Salesforce.

The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to access the company's on-premise application endpoint.

What should an Identity architect do to meet this requirement?

Options:

A.

Use open SSL to generate a Self-signed Certificate and upload it to the on-premise app.

B.

Configure the company firewall to allow traffic from Salesforce IP ranges.

C.

Generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application Truststore.

D.

Upload a third-party certificate from Salesforce into the on-premise server.

Question 2

Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.

How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?

Options:

A.

Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.

B.

Use a login flow to query the helpdesk to validate user status.

C.

Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.

D.

Use Salesforce Connect to integrate with the helpdesk application.

Question 3

Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce Ideas through the API. What is the role of Salesforce in the context of SSO, based on this scenario?

Options:

A.

Service Provider, because Salesforce is the application for managing ideas.

B.

Connected App, because Salesforce is connected with Employee portal via API.

C.

Identity Provider, because the API calls are authenticated by Salesforce.

D.

An independent system, because Salesforce is not part of the SSO setup.

Question 4

Universal Containers (UC) wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

Options:

A.

IdP-initiated SSO will NOT work.

B.

Neither SP- nor IdP-initiated SSO will work.

C.

Either SP- or IdP-initiated SSO will work.

D.

SP-initiated SSO will NOT work.

Question 5

Universal Containers (UC) wants to integrate a Web application with Salesforce. The UC team has implemented the OAuth web-server authentication flow for the authentication process. Which two considerations should an architect point out to UC? Choose 2 answers

Options:

A.

The web application should be hosted on a secure server.

B.

The web server must be able to protect consumer privacy.

C.

The flow involves passing the user credentials back and forth.

D.

The flow will not provide an OAuth refresh token back to the server.

Question 6

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning, and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity Provider for internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Regional Leads and the GS Capacity Planners? Choose 2 answers

Options:

A.

Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.

B.

Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

C.

Identity Licence for GS Regional Leads and External Identity license for GS Capacity Planners.

D.

Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

Question 7

Universal Containers (UC) wants to build a mobile application that will be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

Options:

A.

Custom_permissions

B.

Api

C.

Refresh_token

D.

Full

Question 8

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.

What should an identity architect recommend to create partners?

Options:

A.

On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.

B.

Create a custom page in Experience Cloud to self-register partners with Experience Cloud and the Ping identity store.

C.

Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.

D.

Allow partners to register through the IdP and create partner users in Salesforce through an API.

Question 9

Universal Containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

Options:

A.

Identity store

B.

Authentication store

C.

Identity provider

D.

Service provider

Question 10

Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (which uses the OAuth 2.0 authorization code grant type).

Which three OAuth concepts apply to this flow?

Choose 3 answers

Options:

A.

Verification URL

B.

Client Secret

C.

Access Token

D.

Scopes

Question 11

A technology enterprise is planning to implement single sign-on login for users. When users log in, a custom field on the Salesforce User object should be populated with data for new and existing users.

Which two steps should an identity architect recommend?

Choose 2 answers

Options:

A.

Implement Auth.SamlJitHandler Interface.

B.

Create and update methods.

C.

Implement RegistrationHandler Interface.

D.

Implement SessionManagement Class.

Question 12

Which two statements describe capabilities of Identity Connect? Choose 2 answers

Options:

A.

Synchronization of Salesforce Permission Set Licence Assignments.

B.

Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.

C.

Support multiple orgs connecting to multiple Active Directory servers.

D.

Automated user synchronization and de-activation.

Question 13

An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.

One of the requirements is that the solution for the third-party service provider's connected app in Salesforce minimizes the need for end user interaction and maximizes security.

Which OAuth flow should be used to fulfill the requirement?

Options:

A.

JWT Bearer Flow

B.

Web Server Flow

C.

User Agent Flow

D.

Username-Password Flow

Question 14

A financial enterprise is planning to set up a user authentication mechanism to login to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP webservice.

Which authentication mechanism should an identity architect recommend to meet the requirements?

Options:

A.

OAuth Web-Server Flow

B.

Identity Connect

C.

Delegated Authentication

D.

Just-in-Time Provisioning

Question 15

A group of users try to access one of Universal Containers' connected apps and receive the following error message: "Failed : Not approved for access". What is the most likely cause of the issue?

Options:

A.

The use of high assurance sessions is required for the connected app.

B.

The users do not have the correct permission set assigned to them.

C.

The connected app setting "All users may self-authorize" is enabled.

D.

The Salesforce administrators have revoked the OAuth authorization.

Question 16

A multinational company is looking to roll out Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for each of the Americas, Europe and APAC. The company plans to have a single org and would like all of its users to access Salesforce using ADFS. The company would like to limit its investments and prefers not to procure additional applications to satisfy the requirements.

What is recommended to ensure these requirements are met?

Options:

A.

Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.

B.

Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.

C.

Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.

D.

Configure each ADFS system under single sign-on settings and allow users to choose the system to authenticate with during sign-on to Salesforce.

Question 17

Universal Containers wants to implement single sign-on for a Salesforce org using an external identity provider and corporate identity store. What type of authentication flow is required to support deep linking?

Options:

A.

Web server OAuth SSO flow.

B.

Identity-provider-initiated SSO

C.

Service-provider-initiated SSO

D.

Start URL on identity provider

Question 18

Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers

Options:

A.

Users leaving laptops unattended and not logging out of Salesforce.

B.

Users accessing Salesforce from a public Wi-Fi access point.

C.

Users choosing passwords that are the same as their Facebook password.

D.

Users creating simple-to-guess password reset questions.

Question 19

A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal.

Which two features should be utilized to provide users with login and identity services for the third-party application?

Choose 2 answers

Options:

A.

Use the App Launcher with single sign-on (SSO).

B.

Use an External Data Source with Named Principal identity type.

C.

Use a connected app.

D.

Use Delegated Authentication.

Question 20

Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). Every user that is in UC2, UC3, UC4, and UC5 is also in UC1; however, not all users have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember only one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

Options:

A.

Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.

B.

Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.

C.

Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.

D.

Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Question 21

Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users are able to access the order tracking system, which is only visible within Salesforce.

What should be done to fulfill the requirement?

Choose 2 answers

Options:

A.

Set up Salesforce as an identity provider (IdP) for Order Tracking.

B.

Set up the corporate identity store as an identity provider (IdP) for Order Tracking.

C.

Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.

D.

Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion.

Question 22

Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 Answers

Options:

A.

Authentication Token

B.

Session ID

C.

Refresh Token

D.

Access Token

Question 23

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:

1. Users should not have to log in every time they use the app.

2. The app should be able to make calls to the Salesforce REST API.

3. End users should NOT see the OAuth approval page.

How should the identity architect configure the Salesforce connected app to meet the requirements?

Options:

A.

Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".

B.

Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app access settings to "Admin Pre-Approved".

C.

Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".

D.

Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".

Question 24

An enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).

How can end users change their password?

Options:

A.

Users, once logged in, can go to the Change Password screen in Salesforce.

B.

Users can click on the "Forgot your Password" link on the Salesforce.com login page.

C.

Users can request the Salesforce Admin to reset their password.

D.

Users can change it on the enterprise LDAP authentication portal.

Question 25

Universal Containers (UC) would like to enable SSO between their existing Active Directory infrastructure and Salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in Salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in Salesforce? Choose 2 answers

Options:

A.

Use the Salesforce REST API to sync users from Active Directory to Salesforce.

B.

Use an AppExchange product to sync users from Active Directory to Salesforce.

C.

Use Active Directory Federation Services to sync users from Active Directory to Salesforce.

D.

Use Identity Connect to sync users from Active Directory to Salesforce.

Question 26

A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native iOS mobile app from the corporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.

How should an identity architect meet the above requirements with the privately distributed mobile app?

Options:

A.

Use a connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps.

B.

Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.

C.

Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.

D.

Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.

Question 27

Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party SSO solution is used for all corporate applications, including Salesforce.

NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce.

What role does Identity Connect play in the outlined requirements?

Options:

A.

Service Provider

B.

Single Sign-On

C.

Identity Provider

D.

User Management

Question 28

After a recent audit, Universal Containers was advised to implement Two-Factor Authentication for all of their critical systems, including Salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers

Options:

A.

Require users to provide their RSA token along with their credentials.

B.

Require users to supply their email and phone number, which gets validated.

C.

Require users to enter a second password after the first authentication.

D.

Require users to use a biometric reader as well as their password.

Question 29

Universal Containers (UC) is setting up their Customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

Options:

A.

The self-registration process will produce an error to the user.

B.

The self-registration page will ask the user to select an account.

C.

The self-registration process will create a person Account record.

D.

The self-registration page will create a new account record.

Question 30

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers

Options:

A.

Relax the IP restriction with a second factor in the Connected App settings for the Salesforce1 mobile app.

B.

Remove existing restrictions on IP ranges for all types of user access.

C.

Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app.

D.

Use Login Flow to bypass IP range restriction for the mobile app.

Question 31

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

Options:

A.

Call SOAP API upsert() on the User object.

B.

Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

C.

Run registration handler on incoming OAuth responses.

D.

Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.

Question 32

Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers

Options:

A.

The Identity Provider can authenticate multiple applications.

B.

The Identity Provider can authenticate multiple social media accounts.

C.

The Identity provider can store credentials for multiple applications.

D.

The Identity Provider can centralize enterprise password policy.

Question 33

Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.

The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically.

Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?

Options:

A.

Just-in-Time (JIT) provisioning

B.

Custom middleware and web services

C.

Custom login flow and Apex handler

D.

Third-party AppExchange solution

Question 34

Universal Containers (UC) would like its community users to be able to register and log in with LinkedIn or Facebook credentials. UC wants users to clearly see Facebook and LinkedIn icons when they register and log in. What are the two recommended actions UC can take to achieve this functionality? Choose 2 answers

Options:

A.

Enable Facebook and LinkedIn as login options in the login section of the Community configuration.

B.

Create custom Registration Handlers to link LinkedIn and Facebook accounts to user records.

C.

Store the LinkedIn or Facebook user IDs in the Federation ID field on the Salesforce User record.

D.

Create custom buttons for Facebook and LinkedIn using JavaScript/CSS on a custom Visualforce page.

Question 35

Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the Salesforce App Launcher to control the apps that are available to individual users. Which three steps are required to make this happen?

Options:

A.

Add each connected App to the App Launcher with a Start URL.

B.

Set up an Auth Provider for each External Application.

C.

Set up Salesforce as a SAML IdP with My Domain.

D.

Set up Identity Connect to synchronize user data.

E.

Create a Connected App for each external application.

Question 36

A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.

Which three functions meet the Salesforce criteria for secure MFA?

Choose 3 answers

Options:

A.

Username and password + SMS passcode

B.

Username and password + security key

C.

Third-party single sign-on with Mobile Authenticator app

D.

Certificate-based Authentication

E.

Lightning Login

Question 37

Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred.

What should NTO's first step be in gathering signals that could indicate account compromise?

Options:

A.

Review the User record and evaluate the login and transaction history.

B.

Download the Setup Audit Trail and review all recent activities performed by the user.

C.

Download the Identity Provider Event Log and evaluate the details of activities performed by the user.

D.

Download the Login History and evaluate the details of logins performed by the user.